Top 10 op risks 2018: IT disruption
Fear of disabling cyber attack trumps risk of data theft
A wave of DDoS attacks on three Dutch banks in January 2018 neatly illustrates the continued vulnerability of the banking sector to IT disruptions through malicious cyber attack, despite vast spending on sophisticated defences.
ABN Amro suffered a series of DDoS strikes over the weekend of January 27–28 that slowed or halted its online and mobile banking services. The attacks were heavier than previous ones and lasted longer, the bank reported. Rabobank and ING also experienced attacks during the same period.
“Denial of service attacks, together with the reputational risk such denial of service will bring, is of greatest concern for systemically important banks,” says an op risk executive at a South African bank. “Our focus is on strengthening business resilience capability.”
DDoS attacks remain unpredictable and vary widely in terms of speed and complexity. Unfortunately for banks, they’re only the tip of the iceberg when it comes to disruptive threats – cyber and physical – to their networks. Malware, employee error and plain old hardware failure can be just as crippling when it comes to a loss of operational functionality.
Add in the risk of physical disruption to a bank’s network – from sources as varied as a citywide power outage, to an attack from a weaponised electromagnetic pulse – and it’s not hard to see why op risk practitioners rank IT disruption as one of the most significant operational threats facing their firms.
The disruption to services from successful ransomware attacks is usually far more costly than any payment made to the cyber thieves, as the 2017 WannaCry attack showed. Still harder to quantify are the thousands of man-hours invested in universal training for staff, or spent trying to trace when and where successful breaches occurred.
What is DDoS?
DDoS, or distributed denial of service, is a form of cyber attack that aims to cripple an element of an organisation’s IT system – its website or servers – by inundating it with traffic from multiple sources. Typically, the attacker will take control of a number of unwitting third-party devices known as bots to perform the attack. The greater the botnet, or network of bots, the more harmful the attack.
Once under attack, the compromised system will be choked with requests, preventing it from performing its intended function; so, a website will crash or a server will be disabled.
Financial services accounted for 20% of DDoS attacks that network security provider Verisign confronted during the third quarter of 2017 – second to IT services and cloud providers (45%), whom banks also rely on to provide everything from external data storage to extra processing capacity.
The average attack size for the financial services sector was 0.63 gigabytes per second. This is lower than the average across all sectors, which stands at 0.8 Gbps. In fact, overall attack sizes have been trending downward over the past year, an indication perhaps that remedial action is becoming more effective. But the vast majority – 88% – of DDoS incidents featured multiple attack types, affecting the targeted company across different layers of its network.
Ensuring resiliency against disruptive cyber attack is an impossibly broad task for op risk managers, notes the head of op risk at a US bank, taking in everything from information security controls to scenarios and war games, third-party oversight, data protection, and fraud authentication processes.
Malicious cyber attack is far from the only source of IT disruptions, as US lender Citizens Bank discovered last March when its direct deposits, online bill payment, point-of-sale, ATM and credit card systems became unavailable, which the bank attributed to a vendor processing issue.
“As more clients rely on digital interfaces, the impact and frequency of outages presents increased risk,” says the head of operational risk at a Canadian bank. “Loss of system availability to our online and mobile systems will have negative impact to client experience and our reputation.”
Many of last year’s largest IT disruptions can be attributed to faulty software. Applying fixes or updates to software flaws, known as patch management, is an area of importance as attackers may target these vulnerabilities in bank defences. The US Comptroller of the Currency has cited weaknesses in controls and governance related to information security within banks as a concern.
“Where firms are making changes to live systems and processes – updating one version of software to another – those are where we see a lot of issues with outages. They find it didn’t go right, and the next thing they know, their online banking platform goes down. Those outages only tend to last a couple of hours, but they get a lot of chatter on social media. It’s a breach because change management was not done properly,” says a senior source at one US regulator.
Some argue regulators’ expectations are unrealistic when it comes to cyber attacks, however. US prudential regulators say financial institutions should be capable of a two-hour return to operations following a cyber attack – analogous to the expectations for providers of core clearing and settlement systems contained in a document on sound policy practices for physical resiliency issued in 2003 by US financial authorities following the 9/11 attacks.
Op risk practitioners are increasingly questioning this stance, arguing the ability of a firm to restore a system to operations, and the time needed for doing so, varies greatly depending on the nature of the attack and the size and complexity of the system. Unlike physical disruptions such as a loss of power, which are immediately apparent and are limited to a defined location, cyber attacks are often difficult to detect or diagnose and frequently pose a risk of contagion to other systems or the market at large. Additional time is therefore required for investigating the actual cause of the operational impact and then testing and validating systems before the systems are ready for safe operation.
Practitioners outlined these difficulties in their response to the US regulators’ push for a two-hour return to operations. A premature return might expose a firm to further damage before the nature of the attack was fully understood, the American Bankers Association noted, adding that the timeframe was “not technically feasible”.
Regulators are looking to get smarter when it comes to cyber risk, too. The US Treasury is applying network theory to help model defensive strategies against cyber attacks on the financial system. The Office of Financial Research, a department of the Treasury, is building maps that highlight the interconnectedness between nodes within a network. Against a random attack, a hub that is connected to the largest number of nodes, such as a financial market utility, would be the most important to protect, because its failure would cause the greatest disruption to the network. Targeted attacks, however, might necessitate the defence of the hubs with the most direct links to other hubs in the network: that is, the hub that has to travel through the fewest nodes before infecting another hub.
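The two prioritisation rules described above (degree of a hub for random attacks, hub-to-hub hop distance for targeted attacks) applied to a small constructed network. This is an added illustration, not the OFR's own model or data; the node names and links are invented for the example.

```python
from collections import deque

# Constructed toy network (not the OFR's data): "FMU-*" nodes stand in for
# financial market utilities, "Bank*" for member firms; edges are operational
# or settlement links. Undirected and unweighted for simplicity.
EDGES = [
    ("FMU-A", "Bank1"), ("FMU-A", "Bank2"), ("FMU-A", "Bank3"),
    ("FMU-A", "Bank4"), ("FMU-A", "Bank5"),
    ("FMU-B", "Bank6"), ("FMU-B", "Bank7"), ("FMU-B", "Bank8"),
    ("FMU-C", "Bank9"), ("FMU-C", "Bank10"),
    ("Bank5", "Bank6"),   # indirect route between the FMU-A and FMU-B regions
    ("FMU-B", "FMU-C"),   # direct hub-to-hub link
]

def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    g = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g

def degree_priority(graph):
    """Random-attack model: the node with the most direct links matters most."""
    return max(graph, key=lambda n: len(graph[n]))

def hop_distance(graph, src, dst):
    """Edges on the shortest path src -> dst via BFS; None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def targeted_priority(graph, hubs):
    """Targeted-attack model: the hub whose failure reaches another hub in the
    fewest hops. Returns (hub, hop_count); first hub wins ties."""
    best, best_hops = None, None
    for hub in hubs:
        hops = [hop_distance(graph, hub, other) for other in hubs if other != hub]
        hops = [h for h in hops if h is not None]
        if hops and (best_hops is None or min(hops) < best_hops):
            best, best_hops = hub, min(hops)
    return best, best_hops
```

On this toy graph the two rules disagree: FMU-A has the most links, but FMU-B sits one hop from another hub, so a targeted-attack model would protect it first.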
In spite of the scale of the threat, some banks believe regulators have taken an unco-ordinated approach to tackling it. The focus so far has been on imposing information sharing and other requirements, such as the implementation of a firm-specific cyber risk programme, on financial institutions. This has resulted in a big increase in paperwork for firms and the diversion of resources to compliance.
To help alleviate the pressure on individual banks, the Financial Systemic Analysis & Resilience Center, a co-ordinating group of eight systemically important institutions, including CME, the Depository Trust & Clearing Corp, and Intercontinental Exchange, is working to identify systemic vulnerabilities related to cyber threats. The group is an offshoot of the larger Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares information on cyber attacks across more than 5,000 organisations.
The Financial Services Sector Coordinating Council is another industry group tackling cyber risks. The group outlined specific actions the US government should take to improve cyber security in a set of recommendations published in January 2017. These include investing further in financial services supporting infrastructure and risk-based cyber research and development.